Uncontrolled External Site Redirect - Host Header Injection - Elixir


Need

Prevent malicious redirection and potential SSRF attacks


Context

  1. Usage of Elixir for functional and concurrent programming
  2. Usage of Plug.Conn for handling HTTP connections in Elixir
  3. Usage of Plug.Conn for request handling

Description

Insecure Code Example

defmodule VulnerableController do
  use MyApp.Web, :controller

  # Named redirect_host/2 rather than redirect/2: the controller macro already
  # imports Phoenix.Controller.redirect/2, and a local function with the same
  # name and arity would not compile.
  def redirect_host(conn, _params) do
    # conn.host is populated by Plug from the request's Host header, so the
    # client decides where this response points.
    redirect_to = conn.host
    conn
    |> put_resp_header("location", redirect_to)
    |> send_resp(302, "")
  end
end

The Elixir code above is vulnerable because it uses `host` from the `conn` struct, which Plug fills in from the request's Host header, directly as the redirection target. An attacker could supply a malicious value in the HTTP request's Host header to cause redirection to an external site or possibly exploit SSRF vulnerabilities.

Steps

  1. Add a function to validate the host before using it for redirection.
  2. Do not use the host from the incoming HTTP request directly for generating redirection responses. Instead, use a predefined and validated list of acceptable hosts or a fixed host configured in the application settings.
  3. Use pattern matching or similar to ensure the host matches the expected format.

Secure Code Example

defmodule SecureController do
  use MyApp.Web, :controller

  # Same naming note as above: redirect/2 is already imported by
  # Phoenix.Controller, so the action gets a distinct name.
  def redirect_host(conn, _params) do
    # Fixed, application-controlled target; nothing from the request is used.
    redirect_to = "https://secure.example.com"
    conn
    |> put_resp_header("location", redirect_to)
    |> send_resp(302, "")
  end
end

The Elixir code above is secure because it does not use `host` from the `conn` struct at all. Instead, it redirects to a predefined host, so the Host header has no influence on where the user is sent.
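The Steps above also allow a validated allowlist instead of a single fixed host. The controller below, an added example rather than code from the original page, implements that: it accepts the request host only when it matches an entry in application config exactly and otherwise falls back to a fixed default. `MyApp.Web`, the `:my_app` OTP name, the `:allowed_redirect_hosts` config key and the `/dashboard` path are assumptions.

```elixir
# Added example, not code from the original page. MyApp.Web, :my_app,
# :allowed_redirect_hosts and the /dashboard path are assumed names.
defmodule AllowlistRedirectController do
  use MyApp.Web, :controller

  # Used whenever the request's Host header is not on the allowlist.
  @default_host "secure.example.com"

  # Distinct name: Phoenix.Controller.redirect/2 is already imported here.
  def redirect_back(conn, _params) do
    host = validated_host(conn.host)

    conn
    |> put_resp_header("location", "https://#{host}/dashboard")
    |> send_resp(302, "")
  end

  # Returns the request host only if it appears in the configured allowlist,
  # e.g. in config/config.exs:
  #   config :my_app, allowed_redirect_hosts: ["secure.example.com",
  #                                            "app.example.com"]
  # Membership is an exact string match, so a value such as
  # "secure.example.com.attacker.tld" or "evil.tld#secure.example.com"
  # never passes; anything else collapses to the fixed default.
  defp validated_host(host) when is_binary(host) do
    host = String.downcase(host)
    allowed = Application.get_env(:my_app, :allowed_redirect_hosts, [@default_host])

    if host in allowed, do: host, else: @default_host
  end

  defp validated_host(_), do: @default_host
end
```

Because the redirect target is rebuilt from the validated host and a fixed path, the Host header can at most choose between hosts the application already trusts.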


References

  • 023 - Uncontrolled External Site Redirect - Host Header Injection

  • Last updated: 2023/09/18